This year it seemed like the media reported a new data breach on a weekly basis—Target, Neiman Marcus, PF Chang’s, Home Depot, JP Morgan, Michaels—prompting 2014 to be dubbed “The Age of the Hacks” by news outlets. And don’t get us started on selfie-gate.
While these retail hacks are newsworthy due to the number of users affected, they drown out the real cyber security threats small businesses face. There are many; check out these statistics:
- SMB websites have a 20 percent chance of falling victim to cybercrime each year, according to the National Cyber Security Alliance.
- 30 percent of targeted cyber-attacks were directed at businesses with fewer than 250 seats, according to a 2014 report from Symantec.
- 60 percent of United Kingdom SMBs reported a cyber-security breach in 2013, according to government numbers.
Websites are prime targets. Since most small business owners maintain their own websites, and are hard-pressed to find the time simply to keep the site running, it is no surprise that many are unaware of how vulnerable their site is to attack. In most cases it’s a combination of a lack of understanding about security and disbelief that a cybercriminal would single out their site from the 27 million business sites on the Internet.
Hackers target SMB websites because they’re easy and have valuable information.
Cybercriminals are after the username/password logons used by customers or clients. Since users often have the same logon information for several sites and services, if a cybercriminal can snatch the username/password a client uses for an SMB site, chances are good that the same combination will work on other things, like e-mail or online banking. Cybercriminals hack SMB sites to spread malicious files as well.
“The most common problem we see affecting SMB websites is malicious code being saved to their web presentation space and distributed from there,” says Avast Threat Intelligence Analyst, Michael Salat. Perhaps you have noticed an otherwise out of place link to an adult site or a pharmaceutical store—that’s a tell-tale sign that site hacking has taken place.
“SMBs generally don’t have the resources that larger enterprises do to manage PC, web, mobile and infrastructure security,” says Tyler Moffitt, senior threat research analyst at Webroot. “To mitigate significant business risks, including protecting their website, a properly layered defense with effective endpoint and web security and monitoring needs to be in place.”
Moffitt was kind enough to go into detail about five things an SMB can do to better secure its website.
- Take advantage of your DNS provider’s security features. The domain name system can be a weakness in a company’s online presence. Not only does the company need to manage and protect its own domains, but any certificates that the company relies on must be protected as well. If an SMB buys its own domains, it should ask its provider who’s managing them and make sure extra security precautions are in place, like two-factor authentication.
- Update your web script constantly and use security plugins. Upgrade whenever there is a new version of your script available. Be sure to do it as soon as the upgrade is released, regardless of whether the upgrade contains new features or not. Even simple point upgrades will fix bugs in the script. Plugins can boost the core functionality of your web site’s script. Look for plugins that add extra security and install them.
- Change your database table prefix. If your website uses a blog or forum script, you can change the default database table prefix. For example, a WordPress blog carries the table prefix “wp.” If you change your table prefix, hackers will have a harder time getting data from your website.
- Delete your installation folders. Once you have completed the installation, it is not necessary to have the installer folder on your computer. It is possible for a hacker to remotely get into your computer and run the installer again. Once they get in, they can empty your database and control your website and content. Another option is to rename the installation folder rather than delete it.
- Train your staff to be vigilant. The threat here really comes from the fact that many employees still do not realize how sophisticated such attacks can be, and will continue to play a key role in [a cybercriminal] gaining access to an organization’s website, server or data. Social engineering attacks use real life events or communications coming from a known source as phishing emails are often indistinguishable from genuine requests. To combat this, organizations should take a layered approach to network security—from server-level encryption and device-level antivirus with anti-phishing protection, to educating employees on security practices.
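Two of the tips above (delete the installer folder, change the default table prefix) are easy to check for automatically. The following audit script is an added example, not code from the original post or from Webroot; the web root layout, the folder names it looks for, and the sample site it builds are constructed assumptions for a WordPress-style install.

```shell
#!/bin/sh
# Added example: audit a web root for a leftover installer folder and for
# WordPress's default 'wp_' table prefix. Warnings go to stderr; the number
# of findings is printed to stdout so callers can act on it.

# audit_webroot DIR  -> prints finding count (0 = nothing found)
audit_webroot() {
    root="$1"
    findings=0
    # 1. Installer folders that should have been deleted (or renamed) after setup.
    #    Folder names are assumptions covering common installer layouts.
    for d in install installer setup; do
        if [ -d "$root/$d" ]; then
            echo "WARN: leftover installer directory: $root/$d" >&2
            findings=$((findings + 1))
        fi
    done
    # 2. wp-config.php still carrying the default table prefix.
    #    [$] matches a literal dollar sign; ['"] accepts either quote style.
    if [ -f "$root/wp-config.php" ] && \
       grep -Eq "^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" \
            "$root/wp-config.php"; then
        echo "WARN: default table prefix wp_ in $root/wp-config.php" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# Constructed sample site with both problems present.
make_demo_site() {
    d=$(mktemp -d)
    mkdir -p "$d/install"
    printf '<?php\n$table_prefix = %s;\n' "'wp_'" > "$d/wp-config.php"
    echo "$d"
}

# Constructed sample site after applying the tips: no installer, custom prefix.
make_clean_site() {
    d=$(mktemp -d)
    printf '<?php\n$table_prefix = %s;\n' "'shop7x_'" > "$d/wp-config.php"
    echo "$d"
}

# Stand-alone run against the constructed sample site.
site=$(make_demo_site)
echo "findings: $(audit_webroot "$site")"
rm -rf "$site"
```

Point `audit_webroot` at a real web root (for example `audit_webroot /var/www/html`) to run the same checks on a live install.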
On a related note, here are a few tips about training up your staff to be vigilant of phishing attacks: 10 Steps for Anti-Phishing Training.
We’d love to hear about the little things you do for website security in the comments section below.